This crackme was published December 7th, 2014. It is rated “3 – Getting harder”. The description reads:

First, sorry for my bad English, my main language is German. I have created a keygenme called Crackme#1. It is not so hard, but nothing for newbies. The difficulty is your choice. The Goal: Create a working keygen

In the first part of this solution I show how to reverse engineer the underlying math equation of this crackme. The second part is all about solving that equation; it is in large part copied from my solution for the crackme bb_crackme#1 by svan70.

Part 1: Decompiling

I'm using IDA to disassemble the code. The author S!x0r gives a very nice hint in the comments of his crackme regarding IDA:

No special bignum. With the IDA FLIRT signature called “RESIGSv014PUB RE-SIGS v0.14 PUBLIC by dihux” you can create a label.map for OllyDbg. Sorry for my bad English

Here the signatures by dihux really begin to shine; all subroutines get descriptive names. The code calculates the MD5 sum of the shifted username and places the 16-byte result at [eax]. The 5 most significant bytes are then replaced by the constant value 5321783072. The result is then converted to a hex string with HexEncode.

Three Big Numbers

The crackme then initializes three big numbers. I called them m, n, and c (for reasons that will become clear later):

The numbers m and c are initialized with the value of Hex2bn(code), this means the code is a number in hexadecimal notation. The number n is initialized to Hex2bn(0xAD08D0361CC7FE8D1D3EAC5A68394C95), which is 230002204674084418548395124071717227669.

These lines first convert the variable c to a hex string and store the result in code. The string code is then compared to the MD5 string. If they match, the routine returns 1 and we get the goodboy message. This means

where m is the code that we enter.

Part 2: Solving the Equation

Solving the crackme is all about solving the following problem: given e, c and n, find m such that $m^e \equiv c \mod{n}$. In other words, we need to find the e-th root of c modulo n, which is hard in general. The exponent $e = 2^{16} + 1 = 65537$ is a common choice for the public exponent in the RSA algorithm. RSA operates with moduli n that have exactly two prime factors. Let's see if that is the case for our n. I'm using the free computer algebra system PARI/GP to do the maths for me:

Sure enough, our n is a valid RSA modulus (except, of course, that it has far too few bits to be secure; this is the key to breaking the crackme). In RSA asymmetric encryption, the ciphertext $c \equiv m^e \mod{n}$ can be decrypted to the plaintext message m using the private key d:

In our case the ciphertext c is the MD5 sum of the ROT-1 of the username. The public key is e = 65537, and the modulus n is 230002204674084418548395124071717227669. If we can get the private key d we can calculate m.

The RSA Key Generation

Steps 1 and 2 – $n = p \cdot q$

Choose two distinct primes p and q and determine the product n. We have n and need to determine its two prime factors p and q. The RSA algorithm is based on the fact that this is not feasible if n is large enough. Lucky for us, n is quite small in this crackme and we can get the two factors very fast (again I'm using PARI/GP):
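To make the steps of Part 2 concrete, here is an added Python example (my code, not part of the original write-up or the crackme): it factors a modulus with Pollard's rho, derives d from p and q, and takes the e-th root of c, which is exactly why an undersized RSA modulus gives no protection. The primes, the message and the resulting toy modulus are constructed; the crackme's real 128-bit n is far beyond this simple rho and is where the text reaches for PARI/GP's factor().

```python
from __future__ import annotations
import math
import random

# Public exponent used by the crackme: 2^16 + 1.
E = 65537


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of the composite n (Floyd cycle detection)."""
    if n % 2 == 0:
        return 2
    while True:
        c = random.randrange(1, n)
        step = lambda x: (x * x + c) % n
        x = y = 2
        d = 1
        while d == 1:
            x = step(x)
            y = step(step(y))
            d = math.gcd(abs(x - y), n)
        if d != n:  # d == n means this walk failed; retry with a fresh constant
            return d


def factor_modulus(n: int) -> tuple[int, int]:
    """Steps 1 and 2 in reverse: split a small RSA modulus into (p, q) with p < q."""
    p = pollard_rho(n)
    q = n // p
    return (p, q) if p < q else (q, p)


def private_exponent(p: int, q: int, e: int = E) -> int:
    """d = e^-1 mod phi(n); pow() raises ValueError if e and phi(n) share a factor."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def eth_root(c: int, n: int, e: int = E) -> int:
    """Solve m^e = c (mod n) by recovering d from the factors of n, then m = c^d mod n."""
    p, q = factor_modulus(n)
    d = private_exponent(p, q, e)
    return pow(c, d, n)


# Constructed toy modulus (two known primes, much smaller than the crackme's ~64-bit factors).
P_TOY, Q_TOY = 1299709, 15485863
N_TOY = P_TOY * Q_TOY
M_TOY = 123456789              # the "code" a keygen has to produce
C_TOY = pow(M_TOY, E, N_TOY)   # stands in for the value the check routine derives from the username

if __name__ == "__main__":
    print("factors:", factor_modulus(N_TOY))
    print("recovered m:", eth_root(C_TOY, N_TOY), "expected:", M_TOY)
```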